Troubleshooting FIM 2010

Use this Troubleshooting Guide to help diagnose and resolve common issues encountered in your Microsoft® Forefront® Identity Manager (FIM) 2010 environment.

FIM Service

Workflow activities

Web Service Interface

Exchange Mail Listener

Configuration Migration

FIM Service Performance Counters

FIM Portal

FIM Synchronization Service

FIM Service

The FIM Service makes diagnostic information available in four primary ways:

  1. Simple Object Access Protocol (SOAP) faults

    • SOAP faults include diagnostic information that appears in the diagnostic log for the FIM management agent (MA). This information is not included by default for normal FIM Portal requests, and the FIM Portal user interface (UI) is not presently capable of displaying it.
  2. Requests

    • Request resources record the outcome of all operations in the FIM Service.

    • For more information, see the Workflow activities section.

  3. FIM diagnostic log

    • The FIM log is an application-specific log found in the Event Viewer under Applications and Services Logs.

    • The diagnostic log contains all Microsoft .NET exceptions from the FIM Service.

      Note

      Many exceptions are expected and are desirable behavior.

    • This log should be used only to diagnose specific errors and not to monitor the health of the service.

    • Events are logged in the diagnostic log from both the FIM Service in Microsoft.ResourceManagement.Service.exe.config (FIM Service installation directory) and the FIM Portal in the web.config file (C:\inetpub\wwwroot\wss\VirtualDirectories\80).

  4. Health Events

    • Health Events are a set of specific events that the FIM Service emits to the Application Log when root cause failures occur.

Workflow activities

Scenario: A request fails

Resolution

The first resolution step for any request failure is to inspect the request resource.

To find the status of the request

  1. Find the request in Search Requests or in My Requests (use My Requests if you are investigating your own request).

  2. Open the request resource.

  3. On the Detailed Content tab, review the actual requested changes.

  4. Note the value that is listed in Request Status.

Case 1: Request Status is “Denied”

If the Request Status is Denied, refer to the Scenario: A request’s Request Status is “Denied” section.

Case 2: Request Status is “Failed”

If the Request Status is Failed, refer to the Scenario: A request’s Request Status is “Failed” section.

Case 3: Request cannot be found

If the request resource cannot be found, an error was likely encountered during the process of creating the request. The request may have timed out. The default timeout configuration for operations submitted to the FIM Service is 58 seconds, so if you notice that the request is taking longer than 58 seconds to process, the problem is likely due to a timeout.

To collect more information to investigate the issue

  1. Repeat the request that is failing.

  2. Click Start, Programs, Administrative Tools, and then click Event Viewer.

  3. Click Applications and Service Logs, and then double-click Forefront Identity Manager.

  4. Search for an error event that occurred near the same time.

  5. Information in the error should inform you about what system constraint or workflow activity failure prevented the request from succeeding.

Scenario: A request’s Request Status is “Denied”

A request failed and the Request Status of the request has a value of Denied.

Resolution

Case 1: Insufficient permissions for the requested operation

To verify that the user, represented as the Creator of the request, has permission to make the request:

  1. Open the request resource and view the Applied Policy page. If no Management Policy Rule (MPR) is listed on the page that grants permission to the request, you have confirmed that the problem is due to insufficient permissions.

Note

Alternatively, you can use the MPR Explorer feature in the FIM Portal to verify that a permission-granting MPR exists for that user’s request. If no MPR granting permissions to the requested operation exists, review the existing MPR configuration and consider changing it to allow the request.

Note

Remember that permission must be granted for the user to modify the requested attributes.

Case 2: Authentication or authorization failed

To verify if the request failed authentication or authorization, start by opening the denied request and viewing the Applied Policy page. See if any MPRs that apply authentication or authorization workflows are listed on this page.

If any MPRs that apply authentication or authorization workflows are listed on the Applied Policy page, view the value of the Request Status Detail attribute of the request resource. In the Normal View of the request resource in the FIM Portal, the Request Status Detail attribute is named Request Workflow Remarks.

If the information included in the Request Status Detail attribute does not clearly indicate an error in an authentication or authorization workflow, search for terminated authentication and authorization workflows associated with the request.

To search for terminated authentication and authorization workflows associated with the request

  1. Log on to the FIM Portal as an administrator.

  2. On the home page, under Administration, click All Resources, and then click Workflow Instance.

  3. Click Advanced Search.

  4. Click Add Statement, then click Click to select attribute and select Resource.

  5. Click Click to select value and select the request by either searching by its Display Name or its ResourceID.

  6. Click Add Statement, then click Click to select attribute and select Workflow status.

  7. Click Click to select value, type Terminated, and then click Search.

Note

As an alternative to using the advanced search, a search scope with the following XPath filter can be used to identify only the terminated authentication and authorization workflows: /WorkflowInstance[Request = '2b2bb0b4-695d-43f5-b167-d479834756ff' and WorkflowStatus = 'Terminated' and WorkflowDefinition = /WorkflowDefinition[RequestPhase = 'Authorization' or RequestPhase = 'Authentication']]

Note

The ResourceID of the request that you are investigating needs to be used in place of the previous example for the Request = condition.

If you find that any of the workflow instances returned is an instance of an authentication or authorization workflow definition, you have discovered the reason for the denied request.

To understand why the workflow instance was terminated, refer to the Scenario: A workflow instance was terminated section.

Case 3: The request violated constraints of the FIM Service

It is possible that the requested operation violates FIM schema constraints, such as not supplying a value for a required attribute or supplying an invalid value.

It is also possible that the requested operation violates a fundamental constraint of the FIM Service.

View the request resource and its request details to see if any of the requested operations violate FIM Service constraints.

Case 4: The requested operation timed out

It is possible that the requested operation did not finish within the timeout threshold permitted by the FIM Service. The timeout setting for Read or Query operations is governed by the dataReadTimeoutInSeconds setting. The timeout setting for Create, Update or Delete operations is governed by the dataWriteTimeoutInSeconds setting. Extending these timeout settings may be needed for some large operations such as the creation, modification, or deletion of a large set or group.

The timeout settings can be modified in the Microsoft.ResourceManagement.Service.Exe.Config file.

For example, the following statement sets the Read and Write timeouts to 1 hour. If a value is not specified in the configuration file, the default value of 58 seconds is used for each timeout.

<?xml version="1.0" encoding="utf-8"?><configuration><resourceManagementService dataReadTimeoutInSeconds="3600" dataWriteTimeoutInSeconds="3600"/></configuration>

To avoid a timeout in the FIM Portal, the timeoutInMilliseconds setting in the resourceManagementClient section of the Microsoft.ResourceManagement.Service.Exe.Config file and the Windows SharePoint® Servicesweb.config need to be adjusted. For example:

<?xml version="1.0" encoding="utf-8"?><configuration> <resourceManagementClient timeoutInMilliseconds="3600" /></configuration>

Note

The FIM Service must be restarted for the FIM Service configuration setting changes to take effect. The Microsoft Identity Integration Server (IIS) World Wide Web Publishing Service (W3SVC) must be restarted for the FIM Portal configuration setting changes to take effect.

You can verify if the requested operation timed out by analyzing the FIM Application Log in the Event Viewer and searching for an error event around the same time of the failed request. The error message should indicate a timeout occurred.

Case 5: The FIM Service was interrupted while processing the request

It is possible that the requested operation was affected by a FIM Service interruption.

In particular, if a request had not yet reached the Authenticated state at the time of a FIM Service interruption, the request is canceled by the FIM Service upon startup and results in a Denied status.

To identify the error that prevented the request from succeeding

  1. Repeat the failing request.

  2. Click Start, Programs, Administrative Tools, and then click Event Viewer.

  3. Click Applications and Service Logs, and then double-click Forefront Identity Manager.

  4. Search for an error event at around the same time.

  5. Information in the error should inform you about what prevented the request from succeeding.

If a request failed because of a FIM Service interruption, the only solution is to resubmit the request.

Scenario: A request’s Request Status is “Failed”

A request failed and the Request Status of the request has a value of Failed.

Resolution

A request results in a Failed status only when it encounters a failure while committing the requested operation to the FIM Service database.

It is possible that the requested operation violates a fundamental constraint of the FIM Service.

If the request did not violate a FIM Service constraint, the request may have encountered an unexpected error or timed out.

The following steps can be taken to identify the error that prevented the request from succeeding:

To identify the error that prevented the request from succeeding

  1. Repeat the failing request.

  2. Click Start, Programs, Administrative Tools, and then click Event Viewer.

  3. Click Applications and Service Logs, and then double-click Forefront Identity Manager.

  4. Search for an error event that occurred near the same time.

  5. Information in the error should inform you about the system constraint or other error that prevented the request from succeeding. If the problem is due to a timeout, try extending the FIM Service Read and Write timeout and retrying the request.

Scenario: A workflow fails to start

A requested workflow activity fails to start.

Resolution

If the workflow was part of a configuration migration, ensure that the product version numbers were the same.

While migrating configurations across version numbers is not recommended or supported, you can often do this by replacing the pilot version number with the production version number in pilot.xml. Specifically, WorkflowDefinition and ActivityInformationConfiguration objects require the version number to refer precisely to workflow activities in the production environment. Failing to replace the version number results in the Compare-FIMConfig cmdlet identifying differences between the XOML attributes on WorkflowDefinitions and migrating the pilot’s version number. The production FIM Service may fail to start workflow activities with the incorrect version number.

Scenario: A request’s Request Status is "PostProcessingError”

A request completed its operation but its Request Status has a value of PostProcessingError.

Resolution

A request has a Request Status of PostProcessingError if any Action workflows triggered by the request failed or if any Collateral Requests linked to the request failed.

Case 1: An Action workflow failed

To determine if an Action workflow triggered by the request failed, first view the Request Status Detail attribute of the request to see if any errors were logged by workflows run for the request. The Request Status Detail attribute is named Request Workflow Remarks in the FIM Portal’s Normal View of the request resource.

If the information in the Request Status Detail attribute does not help to diagnose the problem, perform the following procedure.

To search for terminated authentication and authorization workflows associated with the request

  1. Log on to the FIM Portal as an administrator.

  2. On the home page, under Administration, click All Resources, and then click Workflow Instance.

  3. Click Advanced Search.

  4. Click Add Statement, then click Click to select attribute and select Resource.

  5. Click Click to select value and select the request by either searching by its Display Name or its ResourceID.

  6. Click Add Statement, and then click Click to select attribute and select Workflow status.

  7. Click Click to select value, type Terminated, and then click Search.

Note

As an alternative to using the advanced search, a search scope with the following XPath filter can be used to identify only the terminated Action workflows: /WorkflowInstance[Request = '2b2bb0b4-695d-43f5-b167-d479834756ff' and WorkflowStatus = 'Terminated' and WorkflowDefinition = /WorkflowDefinition[RequestPhase = 'Action' ]]

Note

The ResourceID of the request that you are investigating needs to be used in place of the previous example for the Request = condition.

If any of the workflow instances are returned, to understand why the workflow instance was terminated, refer to Scenario: A workflow instance was terminated. If no workflows are returned, refer to Case 2: A Collateral Request failed.

Case 2: A Collateral Request failed

To determine if a Collateral Request triggered by the request failed

  1. Log on the FIM Portal as an administrator, click Search Requests, and then locate the Request.

  2. Open the request and click the Advanced View button.

  3. From Advanced View, go to the Extended Attributes page to see if the Has Collateral Request option is selected.

If the request does have Collateral Requests, perform the following steps:

  1. Log on to the FIM Portal as an administrator.

  2. On the home page, under Administration, click Search Requests.

  3. Click Advanced Search.

  4. Click Add Statement, then click Click to select attribute and select Parent Request.

  5. Click Click to select value and select the request by either searching by its Display Name or its ResourceID.

  6. Click Add Statement, then click Click to select attribute and select Workflow status.

  • If any of the requests returned have a Status of Denied, refer to the Scenario: A request’s Request Status is “Denied” section.

  • If any of the requests returned have a Status of Failed, refer to the Scenario: A request’s Request Status is “Failed” section.

  • If any of the requests returned have a Status of PostProcessingError, repeat the steps in this section for the request.

Scenario: A request’s status may be stuck

A request has had the same Request Status value for an extended period of time.

Resolution

As a starting point, view the value for the Request Status attribute of the request resource in question. The value of Request Status can be an indication of different causes for the problem.

Case 1: Request Status is “Authorizing” or “PostProcessing”

A request with a Request Status of Authorizing or PostProcessing is in the process of running workflows.

To verify that the request does indeed have running workflows, perform the following steps in the FIM Portal:

To verify that the request has running workflows

  1. Log on to the FIM Portal as an administrator.

  2. On the home page, under Administration, click All Resources, and then click Workflow Instance.

  3. Click Advanced Search.

  4. Click Add Statement, then click Click to select attribute and select Request.

  5. Click Click to select value and select the request by either searching by its Display Name or its ResourceID.

  6. Click Add Statement, then click Click to select attribute and select Workflow status.

  7. Click Click to select value, type Terminated, and then click Search.

Note

As an alternative to using the advanced search, a search scope with the following XPath filter can be used to identify the running workflows: /WorkflowInstance[Request = '2b2bb0b4-695d-43f5-b167-d479834756ff' and WorkflowStatus != 'Completed’ and WorkflowStatus != 'Terminated’]

Note

The ResourceID of the request that you are investigating needs to be used in place of the previous example for the Request = condition.

If no running authorization or Action workflows were found by using steps 1–3 listed previously, and the request has no active Collateral Requests, you need to cancel and resubmit the request.

If running authorization or Action workflows were found for the request, refer to Scenario: A workflow’s status may be stuck.

Case 2: Request Status is “Canceling”

A request with a Request Status of Canceling has had a Cancel command issued to it and is waiting for the request’s associated workflows to finish or be canceled and any Collateral Requests to finish or be canceled. If the request has a large number of workflows or Collateral Requests associated with it, the request may remain in the Canceling status for an extended period of time.

Note

The default maximum request cancel rate is 1,200 requests per minute.

Case 3: Request Status is “Validating,” “Validated,” or “Authenticating”

Requests with Request Status values of Validating, Validated, or Authenticating need to be canceled.

Case 4: Request Status is “Committed”

If a request has a Request Status of Committed, it was likely interrupted by a FIM Service interruption. Restarting the FIM Service should resolve the issue; otherwise, the request should be canceled.

Note

A request with a Request Status of Committed has already performed its requested operation. The work remaining for such a request is the execution of any applicable Action workflows.

Scenario: Unable to approve a request

A user approves a request but the approval is denied by the FIMService.

Resolution

This can occur when two FIM Service and FIM Portal servers are configured and both have e-mail processing enabled. If the request originates from one server and the approval is sent to the other server, the approval will fail as the Authorization workflow resides on a different ServicePartition.

In this scenario, it is recommended to turn off e-mail processing on one of the servers.

Scenario: A workflow’s status may be stuck

A workflow has had the same Workflow Status value for an extended period of time.

Resolution

As a starting point, view the value for the Request Status attribute of the request resource in question. The value of the Request Status can be an indication of different causes for the problem.

Case 1: Workflow Status is “Created” or “Pending”

A workflow that has had a Workflow Status of Created or Pending for an extended period of time does not automatically correct itself without intervention. Restarting the FIM Service that created the workflow directs the FIM Service to attempt to resume the execution of this workflow. Alternatively, the workflow can be canceled by canceling the associated request.

Note

Canceling the associated request also cancels all other workflows that have not yet finished.

Case 2: Workflow Status is “Running” and the workflow is waiting for input

A workflow that is waiting for input before proceeding to the next step in its execution will remain stuck in a running status until the input is provided. For example, an Approval activity cannot finish until it receives the required number of approval responses or reaches its expiration threshold.

To complete the execution of this workflow, the input the workflow is waiting for must be provided. If the situation is one where the provider of the input is no longer available, you can cancel the workflow by canceling the associated request.

Note

Canceling the associated request also cancels all other workflows that have not yet finished.

Case 3: Workflow Status is “Running” and workflow is attempting to send e-mail messages

If the workflow uses EmailNotificationActivity or ApprovalActivity and was unable to send e-mail messages, the workflow retries sending e-mail messages based on a delayed approach.

Wait up to 48 hours for the workflow to attempt to complete sending the e-mail messages. If this time passes and the workflow remains in Running status, you need to cancel and resubmit the request if it is not in the PostProcessing state. If the request is in the PostProcessing state, you can cancel the request, which terminates the running Action workflows. The workflows can be rerun by creating a new MPR with the workflow definition that you want and with run on policy update turned on, targeting a set that contains the resources to run the workflow against.

Case 4: Workflow Status is “Running” and the workflow is queued behind many other running workflows

If there are many other workflows currently running, this creates a long queue of workflows until system resources are available for them.

To view how many workflows are currently running in the environment

  1. Log on to the FIM Portal as an administrator.

  2. On the home page, under Administration, click All Resources, and then click Workflow Instance.

  3. Click Advanced Search.

  4. Click Add Statement, then click Click to select attribute and select Workflow Status.

  5. Click Click to select value, type Running, and then click Search.

If a large number of workflows are returned (> 1000), there is a good possibility that the running workflow queue is very large and some workflows will remain running for an extended period of time. The reason a workflow may remain in a running status without actually executing its tasks and finishing is because there are no available CPU threads for it, since they are all being used by other running workflows.

As a first step, repeat the previously listed steps 1–5 periodically to verify that the number of running workflows is gradually decreasing. If the rate of execution of the workflows is not high enough, an option is to increase the number of CPU threads available for the workflows to use. This in turn allows more workflows to actively execute simultaneously.

The maximum number of simultaneously executing workflows can be configured in the Microsoft.ResourceManagement.Service.exe configuration file belonging to the FIM Service. There are two settings that can be added to the configuration file to control the number of simultaneous executing workflows. These settings are described in the following table.

Setting Example usage Supported values Default value

maxSimultaneousAuthenticationWorkflows

<configuration>…….<resourceManagementService maxSimultaneousAuthenticationWorkflows = “200” />…</configuration>

[0,Int32.Max]

A value of 0 results in all workflows being throttled and no workflows being started.

The default value for this method is 5 for a single-processor computer and (int)(5 * Environment.ProcessorCount * .8) for a multiple-processor computer.

maxSimultaneousAuthorizationAndActionWorkflows

<configuration> …<resourceManagementService maxSimultaneousAuthorizationAndActionWorkflows = “200” />…</configuration>

[0,Int32.Max]

A value of 0 results in all workflows being throttled and no workflows being started.

The default value for this is 5 for a single-processor computer,and (int)(5 * Environment.ProcessorCount * .8) for a multiple-processor computer.

Note

The workflow configuration settings in the previous table directly configure the DefaultWorkflowSchedulerService.MaxSimultaneousWorkflows Property. (https://go.microsoft.com/fwlink/?LinkId=186741).

Modification of these settings does not take effect until the FIM Service is restarted.

Important

Caution should be used when modifying these workflow throttle settings because setting a number too high may starve the system of resources for other tasks while setting the number too low may negatively impact workflow throughput. It is recommended that changes to these settings be tested in a test environment before implementing in a production environment.

Case 5: Workflow Status is “Running” and a qualifying Service Name and Service Partition Name cannot be found

When a request or workflow instance is created, it is tied to the Service Partition Name of the FIM Service that created it. A request or workflow instance can only be managed by a FIM Service instance that has the same Service Partition Name as the FIM Service that created it.

If a workflow instance appears to be stuck, identify the request referenced by the workflow instance’s ParentRequest attribute.

To identify the request referenced by the workflow instance’s ParentRequest attribute

  1. Open the request resource in the FIM Portal.

  2. To display the additional attributes for the request resource, click Advanced View, and then click Extended Attributes.

  3. View the value of the Service Partition Name attribute and determine if any FIM Service installations have this value specified in their Microsoft.ResourceManagement.Service.Exe.config file for the servicePartitionName setting.

Note

If no value is specified for servicePartitionName in the configuration file, the value provided for the externalHostName setting is used as the Service Partition Name.

If you do not find a FIM Service installation with the same servicePartitionName value as that used by the Service Partition Name attribute on the request, you must configure a FIM Service to use the request’s Service Partition Name.

To configure FIM Service to use the request’s Service Partition Name

  1. For any FIM Service installation, open the Microsoft.ResourceManagement.Service.Exe.config file.

  2. Modify the value configured for servicePartitionName in the configuration file or add the property to the configuration file’s resourceManagementService section as follows:

    <?xml version="1.0" encoding="utf-8"?><configuration><resourceManagementService servicePartitionName = “FIMService1”/></configuration>

Important

If a request has a Service Partition Name value of FIM SYSTEM, it can be managed by any FIM Service, regardless of the FIM Service’s servicePartitionName. Do not use the value FIM SYSTEM for the servicePartitionName or serviceName setting of any FIM Service.

If the request or workflow instance remains stuck even after ensuring that a FIM Service with the same Service Partition Name exists, the problem may be related to the Service Name that the request’s workflow instances are tied to.

When a workflow instance is running and is not in a dehydrated state, it is tied to the specific Service Name assigned to the FIM Service instance that it is running on. A running workflow instance can only be managed by a FIM Service instance that has the same Service Name as the one that the workflow instance is tied to.

If any of the following has taken place after the CreatedTime listed on the request or workflow instance, you may need to adjust the Service Name setting of a FIM Service installation:

  1. A FIM Service server was taken offline.

  2. The server hosting a FIM Service was renamed.

  3. The database from one FIM Service instance was restored on a different computer.

You can adjust the Service Name of a FIM Service as follows:

To adjust the Service Name of a FIM Service

  1. Open the Microsoft.ResourceManagement.Service.exe configuration file.

  2. Modify the value configured for serviceName in the configuration file or add the property to the configuration file’s resourceManagementService section as follows:

    <?xml version="1.0" encoding="utf-8"?><configuration><resourceManagementService serviceName = “machine1”/></configuration>

Scenario: A workflow instance was terminated

A workflow has a Workflow Status of Terminated.

Resolution

As a starting point in investigating any workflow-related issue, begin by viewing the Request Status Detail attribute on the associated request resource. If you cannot find enough helpful information in this attribute, perform the following procedure to view any additional information about the error, which is saved to the Workflow Status Detail of the affected workflow.

To view additional information about the error

  1. Log on to the FIM Portal as an administrator.

  2. On the home page, under Administration, click All Resources, and then click Workflow Instance.

  3. Click Advanced Search.

  4. Click Add Statement, then click Click to select attribute and select Request.

  5. Click Click to select value and select the request by either searching by its Display Name or its ResourceID.

  6. Click Add Statement, then click Click to select attribute and select Workflow status.

  7. Click Click to select value, type Terminated, and then click Search.

Note

As an alternative to using the advanced search, you can use a search scope with the following XPath filter to identify terminated workflows: /WorkflowInstance[Request = '2b2bb0b4-695d-43f5-b167-d479834756ff' and WorkflowStatus = 'Terminated']

Investigate the workflows returned by your search by opening them in the FIM Portal and viewing the value of their Workflow Status Detail attribute to get specific details of the error encountered.

Case 1: The workflow logic terminated the workflow

Workflows terminate if they throw an unhandled exception. This is often the case in authentication and authorization workflows when the workflow logic determines that the request should not be authenticated or authorized.

To see if the workflow included a message indicating why it terminated, view the RequestStatusDetail attribute on the associated request resource and the WorkflowStatusDetail on the associated workflow instance resource.

Case 2: The workflow’s request failed

If the workflow submits requests to the FIM Service, it is possible that one of the requests failed or was denied. If this is the case, refer to the Scenario: A request fails section.

It is also possible that the workflow is attempting to perform an operation on a resource that no longer exists.

Case 3: The authentication workflow failed due to a FIM Service interruption

If the FIM Service is shut down or stopped while an authentication workflow is running, the workflow is terminated when the FIM Service restarts. The request associated with the failed workflow must be resubmitted.

Case 4: The workflow failed to persist

If a public property on the workflow cannot be serialized, the workflow fails when attempting to persist. To resolve this problem, all the public properties on workflows must be marked as serializable and the failed workflows need to be rerun.

Case 5: Workflow activity code error

If the terminated workflow contains a custom workflow activity, there is a possibility that an error has been encountered in the custom activity code or logic. Test the custom activity thoroughly in the test environment to ensure that the activity works as expected. Workflow activities must be able to run multiple times on the same target resource or be resumed from any persistence point.

Case 6: Workflow version mismatch

The XOML of a workflow definition contains a reference to the version number of the Microsoft.ResourceManagement.dll assembly. If the version of this assembly changes, the following steps are needed:

  1. Binding redirection must be added to the Microsoft.ResourceManagement.Service.exe configuration file for the updated FIM Service, redirecting calls to the Microsoft.ResourceManagement.dll assembly from the old version to the newly installed version.

    Note

    If an installation of FIM is updated through a software update, this binding redirection should automatically be added by the update installation.

  2. Ensure that the old version of the Microsoft.ResourceManagement.dll assembly (the version prior to the update) is in the Global Assembly Cache (GAC). This is needed to allow workflow instances created prior to the update to be rehydrated. If the old version of the Microsoft.ResourceManagement.dll assembly cannot be found, the workflow instances that were persisted prior to the installation of the software update need to be canceled.

Web Service Interface

The following scenarios relate to troubleshooting SOAP messages custom clients send to the FIM Service.

Scenario: SecurityNegotiationException

Custom client receives exception System.ServiceModel.Security.SecurityNegotiationException.

Resolution

  • This is a Windows Communication Foundation (WCF) or network-level failure that is independent of the FIM Service.

  • Verify that the credentials for the client are correct.

    • Ensure that the username and password are valid Active Directory® accounts.
  • Verify that the domain controller is reachable.

  • Verify that the Kerberos version 5 protocol delegation and the Service Principal Name (SPN) is properly configured for the FIM Service.

Exchange Mail Listener

The Exchange Mail Listener polls Microsoft Exchange Web Services periodically to process incoming Microsoft Office Outlook® requests and to send outgoing approval mails.

Scenario: Cannot connect to Exchange

FIM Service cannot send outgoing mail or does not process Office Outlook requests. The Application Log contains multiple errors with Event ID 12.

Resolution

To verify that Exchange Web Service is reachable from the FIM Service computer

  1. Ensure that the mailServer value in the Microsoft.ForefrontIdentityManager.exe.config file is correct.

  2. Open the mailServer value address (typically https://server/ews/exchange.asmx) in Windows Internet Explorer®.

To verify that the Exchange Web Service certificate is valid and trusted by the FIM Service computer

  1. Log in to the computer as the FIM Service account and, in Internet Explorer, open the Exchange Web Service address.

  2. Ensure that the Web Service Description Language (WSDL) appears without certificate errors or access denied errors.

To verify that the FIM Service account has an active mailbox in Exchange Web Service

  1. Log on to Office Outlook Web Access as the FIM Service account.

Scenario: Exchange does not process group management requests

The FIM Service can process approval responses from Outlook but cannot process any group management requests. The Application log does not contain errors with Event ID 12.

Resolution

Ensure that FIM is configured to actively poll Exchange for Group Management Requests. Verify that the following registry value is set to 1:

SYSTEM\CurrentControlSet\Services\FIMService\PollExchangeEnabled

If the registry value is 0, then you must restart the service in order for the change to take effect.

Configuration Migration

Migrating a configuration between two FIM Services often exposes unseen dependencies. To avoid many of these scenarios, follow the steps listed in the FIM 2010 Configuration Migration Tool Deployment Guide (https://go.microsoft.com/fwlink/?LinkID=165849) in the FIM documentation.

Scenario: Failure importing a change

A failure occurs from importing a change.

Resolution

  • Open the undone.xml file and inspect the first ImportObject.

    • This ImportObject is the one that could not be imported successfully.

    • To troubleshoot the cause of why this request failed, follow the instructions in the Scenario: A request fails section.

  • It may be necessary to edit the ImportObject and remove the problem change.

Scenario: Migrating changes to Display Names

You want to migrate a change to a display name for policy resources such as MPRs. The cmdlets produce two changes: a Delete for the existing resource and a Create for a new resource with the different display name.

Resolution

For many resource types, such as MPRs, the default join criteria is to use the display name as the only anchor attribute between two systems.

  • Use different join criteria to match resources between environments.

  • Bind a custom attribute to all configuration object types and use that attribute as the join criteria.

Scenario: Cycles in configuration

The Compare-FIMConfig cmdlet displays an error when a cycle exists in the pilot configuration.

Because the Compare-FIMConfig cmdlet displays a list of changes in order of precedence, there must be no cycles among the references of configuration objects.

Resolution

To resolve a cycle conflict

  1. You must break the cycle manually.

  2. Start with the ResourceID of one of the resources included in the cycle.

  3. Follow that resource’s references to other resources and identify the cycle.

    • A common cycle is two sets that refer to each other.
  4. Remove one of the references from the cycle.

  5. Restart the migration process.

FIM Service Performance Counters

Enable WCF performance counters

FIM uses WCF performance counters to monitor your service usage. Monitoring service usage with WCF performance counters is an optional step to turn on when diagnosing performance problems. It is not necessary to leave performance counters turned on for normal operations. To turn on and configure WCF performance counters, follow the instructions in Enabling Performance Counters (https://go.microsoft.com/fwlink/?LinkId=164848), and edit Microsoft.ResourceManagement.Service.exe.config located in the FIM installation directory.

Adding performance counters to the Windows Performance Monitor

Once WCF performance counters are turned on and the FIM Service is started, the counters may be viewed in the Windows Reliability and Performance Monitor (perfmon.exe). For more information about the Windows Reliability and Performance Monitor, see the Windows Performance Monitor article (https://go.microsoft.com/fwlink/?LinkID=140807).

ServiceModelService instances

The FIM Service WCF counters are listed under ServiceModelService 3.0.0.0, ServiceModelEndpoint 3.0.0.0, and ServiceModelOperation 3.0.0.0. The following table summarizes the individual WCF services listed in ServiceModelService 3.0.0.0.

Service Description

resourcemanagementservice@exchange.mail

The primary Web service interface of FIM. This service exposes the Resource, ResourceFactory, and Enumeration endpoints that the FIM Portal uses to make requests. Additionally, this service polls the monitored Exchange mailbox.

securitytokenservice@http

The primary Web service interface for password reset. This service exposes the Security Token Service that the password reset feature uses to register and reset passwords.

sequentialworkflow@[guid]

Most environments have multiple sequential workflow services turned on. Each sequential workflow represents one workflow definition that contains an approval activity. By default, there are two workflow definitions. This service exposes the Resource and ResourceFactory endpoints that the FIM Portal uses to submit approvals.

ServiceModelEndpoint instances

The following table summarizes the individual WCF endpoints in ServiceModelEndpoint 3.0.0.0 (## indicates a number that is environment-specific).

Endpoint Description

resourcemanag##.imetadataexcha## @##resourcemanagementservice|mex

https://server:5725/ResourceManagementService/MEX

The MetadataExchange endpoint exposes the IMetadataExchange interface that returns the service metadata.

Calls to this endpoint should occur on periodic intervals—every 10 or 15 minutes—as the FIM Portal refreshes its schema. This endpoint should produce no faults or failures. Such failures indicate a corruption of schema configuration.

resourcemanag##.resource @##cemanagementservice|alternate

https://server:5725/ResourceManagementService/Alternate

The Alternate endpoint exposes the Resource interface that anonymous users can use to initiate the password reset process.

Calls to this endpoint generally measure end users who are initiating self-service password resets. All calls to this endpoint should generate corresponding faults because all requests to this endpoint generate an authentication workflow.

resourcemanag##.resource @##rcemanagementservice|resource

https://server:5725/ResourceManagementService/Resource

The Resource endpoint exposes the Resource interface that authenticated users can use to read, update, and delete existing objects in the FIM Service.

Calls to this endpoint generally measure end users who are initiating self-service group management and user profile management requests. Most calls to this endpoint should generate corresponding faults that represent authorization workflows. The proportion of faults depends on the usage and the configuration.

resourcemanag##.resourcefactory @##gementservice|resourcefactory

https://server:5725/ResourceManagementService/ResourceFactory

The ResourceFactory endpoint exposes the ResourceFactory interface that authenticated users can use to create new objects in the FIM Service.

Calls to this endpoint generally measure end users who are initiating self-service group management creation requests. Most calls to this endpoint should not generate corresponding faults because the default implementation has no authorization workflow for group creation. The proportion of faults depends on the usage and the configuration.

resourcemanag##.resourcemail @##anagementservice|resourcemail

An internal endpoint used to route Exchange mail from the monitored Exchange mailbox.

resourcemanag##.search @##managementservice|enumeration

https://server:5725/ResourceManagementService/Enumeration

The Search endpoint exposes the Enumeration endpoint that authenticated users can use to query existing objects in the FIM Service by using XPath filters.

Calls to this endpoint generally measure end users who are querying the service. Many FIM Portal operations result in queries. For example, loading the FIM Portal involves querying for portal configuration objects that describe how to lay out the Web page. Most calls should not generate corresponding faults.

sequentialwor##.imetadataexcha## @[guid]

Most environments have multiple sequential workflow MetadataExchange endpoints turned on. Each sequential workflow MetadataExchange endpoint returns the metadata of the object required to complete the workflow on the corresponding sequential workflow resourcefactory endpoint.

Calls to this endpoint generally measure Web service clients that are refreshing their schema for the approval scenario. Most calls should not generate corresponding faults.

sequentialwor##.resourcefactory @[guid]

Similar to the previous MetadataExchange endpoint, most environments have multiple ResourceFactory endpoints turned on for each sequential workflow. Each ResourceFactory endpoint accepts an object that the workflow uses to complete a request. For example, the approval workflow accepts an approval object to signify the request is approved.

Calls to this endpoint generally measure end users who are approving requests. Most calls should not generate corresponding faults.

ServiceModelOperation instances

The following table summarizes the individual WCF operations in ServiceModelOperation 3.0.0.0. Each of the endpoints described previously in ServiceModelEndpoint instances implements one or many endpoint interfaces. Each operation described in the following table is present in the endpoint interface listed and may be matched.

Operation Endpoint interface Description

Create

ResourceFactory

The Create operation is used to create FIM Service objects such as groups and submit approvals.

Put

Resource

The Put operation is used to update an existing FIM Service object. For example, updating a group’s display name or adding a member are both accomplished by the Put operation.

Additionally, on the Alternate endpoint, the Put operation is used to initiate the password reset process.

Delete

Resource

The Delete operation is used to delete an existing FIM Service object.

Get

Resource

The Get operation is used to retrieve an existing FIM Service object.

Enumerate

Enumeration

The Enumerate operation is used to query for existing objects that match a given filter.

Pull

Enumeration

The Pull operation is used to retrieve additional objects that match an initial Enumerate but could not fit in the initial response.

Get

IMetadataExchange

The Get operation is used to retrieve the metadata of a service.

Interpreting performance counter results

The WCF performance counters measure broadly the requests made to the system and their outcomes.

One specific note is that FIM uses SOAP faults to communicate that authentication and authorization workflows are running, and, in typical deployments, most requests lead to such workflows and therefore most requests lead to SOAP faults. There are no published thresholds of FIM Service WCF counters.

The following table summarizes WCF counters that are relevant to FIM.

Counters Description

Calls

Calls Per Second

Measures individual SOAP requests made to the interface. In many cases, a single operation in the FIM Portal or in the password reset feature consists of multiple SOAP requests.

Calls Faulted

Calls Faulted Per Second

Measures individual SOAP responses that are SOAP faults. Many operations such as requesting to join a group or initiating the password reset process result in SOAP faults. These faults are expected for most end-user requests. Use Calls Faulted and Calls Faulted Per Second to measure the general load of requests to change the system.

To measure specific requests, query the number of request objects in the FIM Service. instead

Calls Failed

Calls Failed Per Second

Measures all SOAP responses that are SOAP faults and WCF communication failures. In addition to the faults measured by Calls Faulted, Calls Failed measures WCF authentication failures, requests with misconfigured SOAP action elements, and other corrupt SOAP requests. Use Calls Failed and Calls Failed Per Second to measure all calls which result in any response other than a normal SOAP response.

Calls duration

Measures the duration of individual SOAP requests. Use Calls Duration to generally measure the responsiveness of the FIM Portal and the password reset feature.

Measuring specific scenarios

Turn on the following performance counters to measure the following common scenarios.

Scenario Counters to Turn On

Password reset requests

Calls or Calls Per Second on ServiceModelOperation instance resou##.resou##.put@##cemanagementservice|alternate

Password reset responsiveness

Calls Duration on ServiceModelEndpoint instance resourcemanag##.resource @##cemanagementservice|alternate

Completed approvals

Calls or Calls Per Second on all ServiceModelEndpoint instances sequentialwor##.resourcefactory @[guid]

FIM Portal responsiveness

Calls Duration on ServiceModelService instance resourcemanagementservice@exchange.mail

General FIM Portal load

Calls or Calls Per Second on ServiceModelService instance resourcemanagementservice@exchange.mail

FIM Portal

The FIM Portal provides an end-user experience for managing groups and approving requests.

Scenario: Cannot connect to the FIM Service

The FIM Portal cannot connect to the FIM Service. The Application Log contains an error event with Event ID 10.

Resolution
  • Verify that the configuration settings point to the correct FIM Service.

    • See the web.config file or reinstall the portal.
  • Verify network connectivity between the FIM Portal and FIM Service.

  • If the FIM Portal is on a different server than the FIM Service, verify that ports 5725 and 5726 allow incoming HTTP traffic.

  • Verify that the FIM Service is running.

FIM Synchronization Service

FIM Management Agent

Scenario: Export failure

Exporting changes to the FIM Service results in failed-creation-via-web-services.

Resolution
  • Inspect the cause of the failure by clicking on the failed-creation-via-web-services link.

  • The dialog box contains the fault details with diagnostic information from the FIM Service.

    Note

    The information in this dialog box is the same information you would find in the diagnostic log; the FIM MA saves you the correlation Step.

    Note

    It may be necessary to begin diagnosing the request following the instructions in the Scenario: A request fails section.

  • Common fault details:

    1. InvalidRepresentation - The failure is in parsing the user input or the input violates public constraints such as the schema.

    2. UnwillingToPerform – The request failed to dispatch. For example, running the FIM MA on an account the FIM service doesn’t think is the FIM MA will trigger this fault.

    3. PermissionDenied – The request was dispatched but failed to complete. In general this can be related to an Authorization workflow, but for the FIM MA this is an issue with a missing or misconfigured MPR.

    4. EndpointUnavailable - A cross-cutting failure which also emits a health event.